VYPR
Unrated severityNVD Advisory· Published Mar 10, 2026· Updated Mar 11, 2026

LinkAce has a Cross-User Tag/List Attachment IDOR in processTaxonomy()

CVE-2026-30954

Description

LinkAce is a self-hosted archive to collect website links. In 2.1.0 and earlier, the processTaxonomy() method in LinkRepository.php allows authenticated users to attach other users' private tags and lists to their own links by passing integer IDs.

Affected products

2
  • Linkace/Linkacellm-fuzzy2 versions
    <=2.1.0+ 1 more
    • (no CPE)range: <=2.1.0
    • (no CPE)range: <= 2.1.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.

CVE-2026-30954 · VYPR